Description
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- SAP_SE / SAP CRM WebClient UIS4FND 102 – S4FND 102
- SAP_SE / SAP CRM WebClient UIS4FND 103 – S4FND 103
- SAP_SE / SAP CRM WebClient UIS4FND 104 – S4FND 104
- SAP_SE / SAP CRM WebClient UIS4FND 105 – S4FND 105
- SAP_SE / SAP CRM WebClient UIS4FND 106 – S4FND 106
- SAP_SE / SAP CRM WebClient UIS4FND 107 – S4FND 107
- SAP_SE / SAP CRM WebClient UIS4FND 108 – S4FND 108
- SAP_SE / SAP CRM WebClient UIWEBCUIF 701 – WEBCUIF 701
- SAP_SE / SAP CRM WebClient UIWEBCUIF 731 – WEBCUIF 731
- SAP_SE / SAP CRM WebClient UIWEBCUIF 746 – WEBCUIF 746
- SAP_SE / SAP CRM WebClient UIWEBCUIF 747 – WEBCUIF 747
- SAP_SE / SAP CRM WebClient UIWEBCUIF 748 – WEBCUIF 748
- SAP_SE / SAP CRM WebClient UIWEBCUIF 800 – WEBCUIF 800
- SAP_SE / SAP CRM WebClient UIWEBCUIF 801 – WEBCUIF 801